SOCIAL SECURITY
MEMORANDUM

Date:      December 20, 2002
Refer To:

To:        Martin H. Gerry
           Deputy Commissioner
            for Disability and Income Security Programs

From:      Assistant Inspector General
            for Audit

Subject:   Evaluation of the Accelerated eDib System – Third Assessment (A-14-03-13047)


The Social Security Administration’s (SSA) Office of the Inspector General (OIG) has
completed its third assessment in our on-going evaluation of the Accelerated eDib
(AeDib) system (formerly the Electronic Disability or eDib system). We provided many
of our ideas and concerns during the eDib planning process through participation in the
AeDib Steering Committee.

As part of the assessment, we considered the following issues:

·   The eDib’s Program Management Plans and Risk Management Plans.
·   The AeDib cost benefit analysis (CBA).
·   Oversight of the AeDib System by its Steering Committee.
·   The AeDib Project Plan.
·   The Project Scope Agreement (PSA) for Enterprise Document and Imaging
    Management Architecture (EDIMA) for the AeDib Project.
·   The internal controls necessary in scanning hardcopy disability evidence at remote
    sites.

The eDib Program Management Plans and Risk Management Plans

During the October 2, 2001, meeting of the eDib Steering Committee, OIG expressed
concern that the eDib Program Management Plan dated August 3, 2000, neither
addressed security nor evaluated the risks involved in eDib program development.
OIG's concerns were partially addressed in the November 14, 2001, eDib Program
Management Plan.

However, the plan did not address the risks associated with security, fraud, hackers and
complexity of the system. Instead, the Risk Management Plan addressed development
risks, which could be incurred during systems development, such as cost, schedule,
integration/technical and mission. While system development risks should be
considered, it is as important to address risks that relate to internal controls and
security.

SSA added the OIG’s recommendations to address internal controls and added risks
associated with fraud, hackers and complexity of the system to its January 31, 2002,
eDib Program Management Plan (See Attachment A). However, the Booz Allen
Hamilton contract only required conducting a process risk assessment, which would
evaluate risks such as the ability to deliver the AeDib system on a timely basis.

OIG informed the AeDib Steering Committee about the necessity of conducting a
security risk assessment. For the fiscal year ending September 30, 2001, SSA
processed an average of 2.2 million initial disability benefits. For a system that is so
important to so many Americans, a security risk assessment, during the early stages of
systems development, should be both cost effective and essential. A security risk
assessment would help ensure that a fully operational AeDib System will operate with
an appropriate level of controls to help prevent fraudulent transactions and minimize
risk. A security risk assessment is also required during system development by the
Office of Management and Budget (OMB),[1] which utilizes guidelines issued by the
National Institute of Standards and Technology (NIST),[2] and also by SSA’s own Project
Resource Guide (PRIDE).[3]

At the December 17, 2002, AeDib Steering Committee, it was announced that based on
the recommendations of our OIG, the Agency will be conducting a risk assessment of
the AeDib system.

The AeDib Cost Benefit Analysis

At the request of SSA, OIG reviewed the AeDib CBA. OIG only reviewed the CBA for
its overall content. We believe the CBA is unclear on how SSA obtained and verified
the project’s costs and processing times (See Attachment B). For example, we saw no
evidence that the Electronic Disability Collection System’s costs were verified; yet these
costs and the corresponding projected savings are major factors in the AeDib project.
Furthermore, the costs to store the back-up of electronic data are excluded from the
CBA. The storing of back-up data could also be a substantial cost of the project with up
to 270 pages of scanned data for each claimant in addition to the backup of initial and
post-entitlement claims information.

[1] OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, p. 7.
[2] NIST Special Publication 800-12, An Introduction to Computer Security, section 7.1, p. 59.
[3] PRIDE, Security Processes, Security Task Definitions, page 2.

Oversight of the AeDib System by its Steering Committee

The AeDib Steering Committee and the Associate Commissioners Electronic Service
Delivery Steering Committee need more oversight of AeDib. A number of AeDib
Steering Committee meetings have been cancelled; for example, the Committee had
only one meeting from June 4, 2002 through August 26, 2002. Since SSA accelerated
the completion time for the AeDib system to January 2004, we believe it is essential the
Steering Committee meet on a regular basis. We informed the then Chairperson of the
Committee of our concern, and as a result, the AeDib Steering Committee has resumed
meeting on a regular basis.

The AeDib Project Plan

The initial AeDib project plan projected the start and stop dates for systems work (see
Attachment C) but did not include times necessary for important deliverables such as
functional requirements or systems security that should be in place before the system
goes into production. We informed the Committee of our concerns, and the appropriate
staff took immediate action to issue a revised project plan for the AeDib system, which
included the additional dates.

Project Scope Agreement for Enterprise Document and Imaging Management
Architecture for the AeDib Project

The PSA provides a timeline for the completion of scanning paper documents into the
AeDib System. The Office of Systems sent this document to other Agency components
for comment. The OIG had numerous concerns regarding deferring the full
implementation of the security/internal controls (see Attachment D). The document
proposed deferring such basic and essential controls as an automated audit trail and
the ability to “lock” a document to prevent further inappropriate annotation or
modification to that document. Numerous SSA components agreed that the system
should not be placed into production without at least basic internal controls. Because of
these comments, the Committee reassessed the need for internal controls in the
system. As a result, the Agency worked with a contractor and enhanced controls in its
EDIMA System for the AeDib Project. OIG, however, still expressed reservations
primarily concerning the possible implementation of controls without benefit of the
required risk assessment and plans the Agency may have to eliminate the wet
signature, without compensating controls.

However, the December 5, 2002, EDIMA requirements no longer called for the
destruction of paper documents. As mentioned above, at the December 17, 2002
AeDib Steering Committee, it was announced that based on the recommendations of
the OIG, the Agency will include a risk assessment of EDIMA in its overall risk
assessment of the AeDib system.

Internal Controls Necessary in Scanning of Hardcopy Disability Evidence at
Remote Sites

The AeDib CBA calls for the Agency to contract out the scanning of hardcopy disability
documents received into the electronic folder as part of its disability process. If SSA
contracts out the scanning of hardcopy disability documents, the Agency will need
sufficient procedures to establish that the scanned evidence was reliable. The following
are important considerations needed when contracting out the scanning of hardcopy
disability documents:

·    A protocol is necessary to ensure procedures are consistently applied at every
     processing site.
·    If litigation occurs, the Agency might need an expert who could testify as to how
     the process works and why it is reliable.
·    Once the contractor captures the record, there should be controls in place to limit
     alteration of the record.
·    There should be a record of the person capturing the form, which also shows
     how the record was received and on which date. There should be an audit trail
     to trace any later changes to the document.
·    The medium on which the contractor retains the form should be secure yet easily
     accessible to SSA. The contractor should back up the information.
·    The contractor should fully understand legal privacy protections afforded this
     information. The contract should specify responsibilities, liabilities and recourse.
·    The contractor should capture the documents in their entirety. Paper copies
     should be retained whenever there is suspected fraud.[4]

Should the Agency decide to perform the scanning function in-house, many of these
same procedures will still apply to the electronic process.

[4] While the extent of internal controls should be risk-based, the Agency should maintain, at a minimum, a system
sufficiently reliable to successfully prosecute those who commit fraudulent acts against SSA’s programs. Doing
otherwise puts at risk the Agency’s assertion that its internal controls are adequate and whether SSA will continue to
receive an unqualified opinion on its financial statements. The maintenance of an adequate internal control process
is essential if the Agency is to remove the information protection reportable condition on its financial statements and
the General Accounting Office’s designation of the title XVI program as high-risk.

We believe this assessment will assist the Agency to enhance the eDib systems
development process. We gathered our information in Baltimore, Maryland. There is
no expectation for the Agency to formally respond to this document. We look forward to
our future participation in the AeDib Steering Committee. If you have any questions or
comments, please call me or have your staff contact Kitt Winter, Director, Data Analysis
and Technology Audit Division at (410) 965-9702, or Al Darago at (410) 965-9710.


Steven L. Schaeffer

Attachments

cc:
Inspector General
Chair, AeDib Steering Committee
Candace Skurnik, Acting Director
Management Analysis and Audit Program Support Staff


ATTACHMENT A

December 13, 2001

NOTE TO: Nancy Webb

SUBJECT: Comments on the Booz Allen & Hamilton eDib Program Management Plan

We believe that the Booz Allen & Hamilton November 30, 2001, eDib Management Plan is
much improved over the initial Management Plans and addresses many of our prior comments
made to the Office of Disability. Specifically, it includes a risk assessment, key initiative and a
Disability Case Intake Process Plan. While much is still left unanswered until the project moves
further along, it appears that internal controls and security will be addressed.

We will continue to work with the eDib Steering Committee on the Management Plan, which is
described as a “living document.” One of our main concerns is that the eDib Risk Management
Plan stresses managerial risks associated with completing the project and does not address the
risks in the eDib system not possessing adequate internal controls. Appendix H titled the
“Disability Case Intake Process Plan,” however, does call for a technical risk assessment
throughout the eDib process including in the requirements phase. We will reevaluate the
proposed internal controls in the eDib System once all of the planning documents are completed
and again at the requirements phase of the process. As we have stated in the past, the eDib
system needs to have adequate internal controls and security over information, especially with
respect to establishing compensating controls, such as an audit trail, along with any plans to
eliminate the “wet signature” from the application process. Elimination of any of the current
internal controls and implementation of any new controls needs to be based on a comprehensive
risk assessment.

We prepared these suggestions to help facilitate the eDib systems development process. There is
no expectation for the Agency to formally respond to these suggestions. We look forward to
working with SSA as the eDib system is implemented. If you have any questions or comments,
please call me or have your staff contact Kitt Winter, Director, Systems Audit Division at
(410) 965-9702.


Steven L. Schaeffer

Office of the Inspector General
Comments on the Booz, Allen & Hamilton eDib Program Management Plan

PAGE          COMMENTS
ES-3          Consider adding the issue of Public Key Infrastructure and electronic signature
              as one of the projects under the eDib Delivery Strategy
II-7          Under business needs we should include the ability to prosecute offenders, and
              material sufficient for appeals to OHA
V-7           Under the Quality Assurance and Evaluation we should include a post-
              implementation review as called for under the Clinger-Cohen Act.
Appendix A    Include the risk assessment as a separate task
Appendix C    The issue of developing and placing of information management needs by OIM
              should be addressed in the Key Initiative Plan
Appendix C    The Interfacing of Internet Claims should be discussed
Appendix E,   Included in the risk assessment should be risks from fraud, penetration of
Table E-2     systems by hackers, complexity in the use of several DDS systems and the
              ability to comply with HIPAA.
Appendix C,   If the goal is to only input key data fields once, can we still accept
page 2        scanning/imaging of handwritten information on the 3368 (self-help) form?
              Also, how can scanned/imaged data be modified?
Appendix C,   Does the estimate for savings include the conversion of pre-Electronic Folders to
page 2        electronic formats? What is the plan for converting existing paper folders to
              electronic versions?
Appendix C    Since this document was created in February 2001, some of the items that are
              shown as future events should have already occurred. Should notes be inserted
              to provide more current information? For example, on page 6, has OWA
              finished its review of the impact eDib has on the Delaware processing times?
              On page 15, how many AS-400 conversions have occurred? On page 23, when
              will SSA convert to Office 2000 (it did not occur by the end of FY 2000)?
Appendix C,   Could the assumptions and underlying calculations supporting the cost-benefit
page 37       summary be added or in a footnote, give an intranet site where this information
              could be found?


ATTACHMENT B

June 14, 2002

NOTE TO NANCY WEBB:

Thank you for the opportunity to comment on the Social Security Administration’s (SSA)
Accelerated eDib (AeDib) Cost-Benefit Analysis (CBA). The Office of the Inspector
General only reviewed the CBA for its overall content, and did not conduct an audit of
the document. We, therefore, do not express a formal opinion on the CBA at this time.

The CBA prepared by Booz Allen Hamilton is comprehensive and provides a
foundation for moving forward in additional planning and analysis. We have the
following comments regarding the SSA AeDib version 2.0a CBA.

Office of the Inspector General
Comments on the Booz, Allen & Hamilton eDib Cost Benefit Analysis

SLIDE       COMMENT
Overall     The cost of scanning evidence and the accompanying requirements in the
the         contract regarding internal controls in place to ensure the reliability of
scanning    scanned data should provide assurance to convince a court that the
contract    scanned evidence is reliable. In addition, the following are important
            considerations when dealing with contractors working with electronic
            services.
            · SSA needs to set up a protocol, and ensure consistent application
              across the board. If a trial occurred, the Agency might need an expert
              who could testify as to how the process works and why it is reliable.
            · Once the contractor captures the record, there should be controls in
              place to limit its alterability.
            · There should be a record of the person capturing the form, which also
              shows how the record was received and on which date. There should
              be an audit trail for any later changes to the document.
            · The medium on which the contractor retains the form should be
              secure and easily accessible to SSA. The contractor should back up
              the information.
            · The contractor should fully understand legal privacy protections
              afforded this information. The contract should specify responsibilities,
              liabilities and recourse.
            · The contractor should capture the documents in their entirety.
            · Paper copies should be retained whenever there is suspected fraud.
Overall     It is not clear where you obtained and how you verified the project’s planning,
            acquisition, operations and maintenance costs.
Page 5      The security costs should be based on a comprehensive risk analysis.
Page 16     It is not clear where you obtained and how you verified the costs and
            processing times to perform this analysis of processing time.
Page 19     Version 2.0 of the implementation plan calls for full implementation in
            FY 2007, while 100 percent of the benefits begin in the third year and
            beyond. Also, doesn’t full implementation in FY 2007 conflict with the
            Commissioner’s direction of full completion by December 2003?
Page 28     We are concerned because Booz Allen Hamilton have not yet verified the
            EDCS costs, yet these costs and the corresponding projected savings are a
            major factor in the Accelerated eDib project.
Page 50     We have concerns that SSA will not meet its scheduled implementation
            dates for the IBM AS400 computers. The consequences of not meeting this
            schedule should be addressed.
Page 86     The costs to store the backup of electronic data seem to be excluded and
            could be a major undertaking with up to 270 pages of scanned data for each
            claimant in addition to the initial and postentitlement claims information.
Page 105    Under business to Government, for the benefit of business, we should
            attempt to accept standard protocols to be used by business under HIPAA.

If you have any questions about our comments, you may contact me at 410-965-9701,
Kitt Winter (965-9702), or Al Darago (965-9710).


Sincerely,

Steven L. Schaeffer


ATTACHMENT C

AeDib Timeline
05/03/02

Internet Disability
The Internet disability application collects information currently gathered from the
agency's paper disability form. The initial release, I3368, will collect medical and work
history from disability claimants. Additional applications will be developed to support
the disability process. These applications will collect supplemental disability and more
detailed work information, information about childhood disabilities, and information
required for subsequent appeal processes. Internet Disability will improve service to the
public, compensate for resource losses and workload increases, improve the disability
report collection process, and contribute to meeting the Government Paper Elimination
Act requirements.
Date      Milestone
8/02      Production Ready for Initial Functionality of I3368
1/03      Production Ready for Internet I827
4/03      Production Ready for Fully Functional I3368
7/03      Production Ready for Internet I3820
11/03     Production Ready for Internet I3369
12/03     Production Ready for Internet I3441
12/03     Production Ready for Internet I454, I4486, I4631

Electronic Disability Collect System ver 4.2.2
Electronic Disability Collect System (EDCS) provides the means for our employees to
collect information about a claimant’s disability. EDCS 4.2.2 is a technical release to
convert the EDCS from a client/server application to an intranet application. This
release is limited to adult disability cases at the initial adjudicative level.
Date      Milestone
7/02      Production Ready (Delaware, Texas, & California)

Electronic Disability Collect System ver 4.2.3
Adds the following functionality:
1. Record of Change
2. Subsequent Filings
3. Alternative Methods to Populate the Medical Source Reference File
4. Interface to the Internet 3368
Date      Milestone
10/02     Production Ready for Delaware, Texas, & California
10/02     Production Ready for National Rollout

Electronic Disability Collect System ver 5.0
Adds the following types of disability cases:
1. Child cases at the Initial adjudicative level
2. Reconsiderations
Date      Milestone
2/03      Production Ready

Electronic Disability Collect System ver 5.1
Adds the following:
1. Continuing Disability Reviews
2. Continuing Disability Reviews Reconsiderations
3. Hearing Cases
4. All other related forms
Date      Milestone
5/03      Production Ready

Electronic Disability Collect System ver 6.0
EDCS interface to Electronic Folder using MQSeries as the transport mechanism.
Date      Milestone
7/03      Production Ready

Electronic Disability Collect System ver 6.1
DDS and SSA Legacy Applications interface to Electronic Folder using MQSeries as
the transport mechanism. Includes the storage and retrieval of data to a data repository
as well as images and other objects to the Enterprise Document Imaging Architecture
(EDIMA).
Date      Milestone
12/03     Production Ready

Enterprise Document Imaging Architecture
This project will identify and implement the document imaging architecture and
infrastructure required to support the AeDib business process.
Date      Milestone
10/02     Architecture and Infrastructure Recommendations Documented
10/03     Complete Procurements for EDIMA Infrastructure
1/04      Complete EDIMA Infrastructure Installation in Required Sites

AS400/Legacy Software
This project includes the migration of Wang/Levy states to IBM AS/400 platform;
migration of Levy code incorporating readiness for EFI; upgrade/replacement of
existing AS/400s in order to accommodate EFI; readiness of Versa, Midas, and
independent software systems for EFI.

Group 1 States =      VA, WV, MD, WI, IN, GA, AR, OH, OK, IA, NC, FL, NM, RI,
                      SD, FDDS
Group 2 States =      KS, MA, WA, DC, KY, MT, CT, MI, CO, AZ, LA, VT, PR
Date      Milestone
6/02      Installation of AS/400 Complete for RI, SD, KS, MA, FDDS
9/02      AS/400 Training Completed for RI, SD, KS, MA, FDDS
9/02      Installation of AS/400 for DC, KY, MT, CT, MI, CO, AZ, LA, VT, PR
10/02     VERSA and LEVY Pre-Implementation in support of EDCS 4.2.3
12/02     AS/400 Training Completed for DC, KY, MT, CT, MI, CO, AZ, LA, VT,
          PR
12/02     Complete Business Process Description for NY, NE, and Midas states.
12/02     Production Ready “ALL” - Group 1 States
10/03     Production Ready “ALL” - Group 2 States

The OHA Case Processing and Management System
The OHA Case Processing and Management System will provide automation to the
Hearing Offices activities.
Date      Milestone
10/02     Determine Systems Design
12/03     Pre-Production Implementation
1/04      Production Ready

Complete Business Process Description
Date      Project
6/02      OHA, Operations, Office of Quality Assurance and Office of Disability


ATTACHMENT D

October 16, 2002

NOTE TO BILL GRAY:

SUBJECT: Office of the Inspector General’s (OIG) comments regarding SSA’s Project Scope
Agreement (PSA) for Enterprise Document and Imaging Management Architecture (EDIMA) for
Accelerated Electronic Disability (AeDib) Project

The Social Security Administration’s (SSA) OIG has obtained the Agency’s PSA for the
EDIMA for the AeDib Project. We have discussed the PSA with various Agency staff
and evaluated the document’s potential effect on SSA’s ability to assess the integrity of
the data this system will process and contain. Our overall comment is that we could not
find the internal control/security risk assessment used as a basis for the EDIMA.
Federal requirements and the Agency’s Project Development Resource System
(PRIDE) call for the internal control and security requirements of major system
development projects to be based upon a risk assessment. If the risk assessment is
available, it should be attached to the document to provide a point of reference for the
security/control assessments. In addition, there are some features that SSA should
reconsider before deferring them.

·   Currently, the system requirements defer an audit trail that would track user access
    to internal and external systems. An audit trail is an essential part of any new
    system and we believe the Agency should reconsider deferring its development,
    unless compensating controls are utilized.
·   The EDIMA also defers the ability to “lock” electronic forms (e.g. Workers
    compensation offset forms) to prevent further annotation or modification to indexing
    fields. Lock provisions are an essential part of the internal controls necessary to
    establish the originator of the transaction and that the transaction has not been
    altered. These controls help ensure successful fraud prosecution.
·   The ability to restrict access to all or portions on a repository structure and to limit
    subsequent access to read-only is deferred. To secure its data an ability to limit
    subsequent access is essential. This deferral when combined with the deferral of
    the audit trail and the locking feature could allow individuals to change data without
    recording the individual that changed the data.
·   The ability to encrypt images and data documents selectively using a standard
    encryption algorithm is also deferred. Such a control over claimant data would be
    useful in protecting individual privacy.
·   The ability to accept digital signatures and public key infrastructure has also been
    postponed. The Agency should begin moving forward in this area, since Federal law
    encourages the use of electronic signatures.
·   The document does require business continuity but does not specify what
    documents will be backed up off-site.
·   The document does not call for a structured approach to data. The Agency should
    attempt to structure as much data as possible. Structured data would allow the
    Agency to accumulate and gather the data for management information and future
    processing purposes.
·   The document does not discuss any management information requirements of the
    system.

Finally, the document appears to be developed and controlled primarily by SSA’s Office
of Systems. If this is the case, we believe system development projects should instead
be user driven, because the user is most familiar with any needs that they will have
when the system is operational.

If you should have any questions regarding our comments, please give me a call at
extension 59700 or have your staff contact Al Darago on extension 59710.


Gale S. Stone